Fix: Gitlab runner repository GPG key permission check by making keyring-path configurable

README.md

@@ -30,6 +30,10 @@ Role Variables
 - `gitlab_runner_listen_address` - Enables the `/metrics` endpoint for Prometheus scraping.
 - `gitlab_runner_runners` - A list of GitLab runners to register and configure. By default, this is set to a single shell executor.
 - `gitlab_runner_skip_package_repo_install` - Skips the installation of the APT or YUM repository (default: false). You should ensure that the necessary packages are available in your repository before running this role.
+- `gitlab_runner_keyring_path` - Path to the GitLab Runner repository GPG keyring file (default: `/etc/apt/keyrings/runner_gitlab-runner-archive-keyring.gpg`).
+  - Set to `/etc/apt/keyrings/runner_gitlab-runner-archive-keyring.gpg` (default) if using APT > 1.1
+  - Set to `/etc/apt/trusted.gpg.d/runner_gitlab-runner.gpg` if using legacy APT < 1.1)
+  - Set to custom path if you expect a different location for the keyring
 - `gitlab_runner_config_update_mode` - Defines how configuration updates are applied:
   - Set to `by_config_toml` (default) to apply configuration changes directly by updating the `config.toml` file.
   - Set to `by_registering` if changes should be applied by unregistering and re-registering the runner when configuration changes.

defaults/main.yml

@@ -68,6 +68,13 @@ gitlab_runner_session_server_session_timeout: 1800
 # Use this if you use a mirror repository
 # gitlab_runner_skip_package_repo_install: true
 
+# Path for the GitLab runner repository GPG keyring.
+# The GitLab installation script places the keyring in different locations depending on APT version:
+# - Modern APT (>= 1.1): /etc/apt/keyrings/runner_gitlab-runner-archive-keyring.gpg
+# - Legacy APT (< 1.1): /etc/apt/trusted.gpg.d/runner_gitlab-runner.gpg
+# Change this if you expect the keyring to be somewhere else.
+gitlab_runner_keyring_path: /etc/apt/keyrings/runner_gitlab-runner-archive-keyring.gpg
+
 gitlab_runner_config_update_mode: by_config_toml
 gitlab_unregister_runner_executors_which_are_not_longer_configured: false
 
@@ -140,7 +147,7 @@ gitlab_runner_runners:
     # The executor used by the runner.
     executor: shell
     # The authentication token.
-    # Needs to be provided when gitlab_runner_registration_token_type is set to 'authentication-token' 
+    # Needs to be provided when gitlab_runner_registration_token_type is set to 'authentication-token'
     # token:
     # Set maximum build log size in kilobytes.
     output_limit: 4096

tasks/install-debian.yml

@@ -19,14 +19,21 @@
   become: true
   when: gitlab_runner_skip_package_repo_install is not defined or not gitlab_runner_skip_package_repo_install
 
-- name: (Debian) Ensure Gitlab runner repository GPG key is readable by everyone
+- name: (Debian) Find GitLab runner repository GPG keyring
+  ansible.builtin.stat:
+    path: "{{ gitlab_runner_keyring_path }}"
+  register: gitlab_runner_keyring_stat
+  when: gitlab_runner_skip_package_repo_install is not defined or not gitlab_runner_skip_package_repo_install
+
+- name: (Debian) Ensure GitLab runner repository GPG key is readable by everyone
   ansible.builtin.file:
-    path: /etc/apt/keyrings/runner_gitlab-runner-archive-keyring.gpg
+    path: "{{ gitlab_runner_keyring_path }}"
     owner: root
     group: root
     mode: "0644"
-    state: file
-  when: gitlab_runner_skip_package_repo_install is not defined or not gitlab_runner_skip_package_repo_install
+  when:
+    - gitlab_runner_skip_package_repo_install is not defined or not gitlab_runner_skip_package_repo_install
+    - gitlab_runner_keyring_stat.stat.exists
 
 - name: (Debian) Update gitlab_runner_package_name and gitlab_runner_helper_package_name
   ansible.builtin.set_fact: